Line 1... |
Line 1... |
1 |
#!/bin/sh
|
1 |
#!/bin/sh
|
2 |
# $Id: alcasar.sh 355 2010-11-30 23:00:46Z richard $
|
2 |
# $Id: alcasar.sh 358 2010-12-02 22:34:25Z franck $
|
3 |
|
3 |
|
4 |
# alcasar.sh
|
4 |
# alcasar.sh
|
5 |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
|
5 |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
7 |
|
7 |
|
Line 208... |
Line 208... |
208 |
# On mets à jour le système
|
208 |
# On mets à jour le système
|
209 |
urpmi --auto --auto-update
|
209 |
urpmi --auto --auto-update
|
210 |
# On installe les paquetages complémentaires
|
210 |
# On installe les paquetages complémentaires
|
211 |
urpmi --auto $PACKAGES
|
211 |
urpmi --auto $PACKAGES
|
212 |
# On empêche les mises à jour de coova-chilli et freeradius par le biais des dépôts
|
212 |
# On empêche les mises à jour de coova-chilli et freeradius par le biais des dépôts
|
213 |
echo -n "/^coova/" >> /etc/urpmi/skip.list
|
213 |
for rpmskip in coova freeradius
|
- |
|
214 |
do
|
214 |
echo -n "/^freeradius/" >> /etc/urpmi/skip.list
|
215 |
echo -n "/^$rpmskip/" >> /etc/urpmi/skip.list
|
- |
|
216 |
done
|
215 |
# On supprime les paquetages, les services et les utilisateurs inutiles
|
217 |
# On supprime les paquetages, les services et les utilisateurs inutiles
|
216 |
for rm_rpm in dhcp-server avahi mandi shorewall libc-icap0 cyrus-sasl
|
218 |
for rm_rpm in dhcp-server avahi mandi shorewall libc-icap0 cyrus-sasl
|
217 |
do
|
219 |
do
|
218 |
/usr/sbin/urpme --auto $rm_rpm --auto-orphans
|
220 |
/usr/sbin/urpme --auto $rm_rpm --auto-orphans
|
219 |
done
|
221 |
done
|
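Review bot: The new loop at lines 213–216 still appends each pattern with `echo -n`, so after both iterations skip.list holds `/^coova//^freeradius/` on one line instead of two entries; the rewrite carried this over from the two original echo lines rather than fixing it. As far as I recall urpmi reads skip.list one entry per line (worth confirming on the target Mandriva release), so neither package would actually be pinned, which defeats the intent stated in the comment on line 212. `echo -n` is also not portable under the script's `#!/bin/sh`; `printf '/^%s/\n' "$rpmskip" >> /etc/urpmi/skip.list` addresses both points. Since this installer may be re-run, consider guarding the append with `grep -qxF -- "/^$rpmskip/" /etc/urpmi/skip.list ||` so repeated runs do not accumulate duplicate lines.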
Line 528... |
Line 530... |
528 |
AllowOverride None
|
530 |
AllowOverride None
|
529 |
Order deny,allow
|
531 |
Order deny,allow
|
530 |
Deny from all
|
532 |
Deny from all
|
531 |
Allow from 127.0.0.1
|
533 |
Allow from 127.0.0.1
|
532 |
Allow from $PRIVATE_NETWORK_MASK
|
534 |
Allow from $PRIVATE_NETWORK_MASK
|
- |
|
535 |
# Allow from $SRC_ADMIN
|
533 |
require valid-user
|
536 |
require valid-user
|
534 |
AuthType digest
|
537 |
AuthType digest
|
535 |
AuthName $HOSTNAME
|
538 |
AuthName $HOSTNAME
|
536 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
539 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
537 |
AuthUserFile $DIR_ACC/digest/key_all
|
540 |
AuthUserFile $DIR_ACC/digest/key_all
|
Line 542... |
Line 545... |
542 |
AllowOverride None
|
545 |
AllowOverride None
|
543 |
Order deny,allow
|
546 |
Order deny,allow
|
544 |
Deny from all
|
547 |
Deny from all
|
545 |
Allow from 127.0.0.1
|
548 |
Allow from 127.0.0.1
|
546 |
Allow from $PRIVATE_NETWORK_MASK
|
549 |
Allow from $PRIVATE_NETWORK_MASK
|
- |
|
550 |
# Allow from $SRC_ADMIN
|
547 |
require valid-user
|
551 |
require valid-user
|
548 |
AuthType digest
|
552 |
AuthType digest
|
549 |
AuthName $HOSTNAME
|
553 |
AuthName $HOSTNAME
|
550 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
554 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
551 |
AuthUserFile $DIR_ACC/digest/key_admin
|
555 |
AuthUserFile $DIR_ACC/digest/key_admin
|
Line 556... |
Line 560... |
556 |
AllowOverride None
|
560 |
AllowOverride None
|
557 |
Order deny,allow
|
561 |
Order deny,allow
|
558 |
Deny from all
|
562 |
Deny from all
|
559 |
Allow from 127.0.0.1
|
563 |
Allow from 127.0.0.1
|
560 |
Allow from $PRIVATE_NETWORK_MASK
|
564 |
Allow from $PRIVATE_NETWORK_MASK
|
- |
|
565 |
# Allow from $SRC_ADMIN
|
561 |
require valid-user
|
566 |
require valid-user
|
562 |
AuthType digest
|
567 |
AuthType digest
|
563 |
AuthName $HOSTNAME
|
568 |
AuthName $HOSTNAME
|
564 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
569 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
565 |
AuthUserFile $DIR_ACC/digest/key_manager
|
570 |
AuthUserFile $DIR_ACC/digest/key_manager
|
Line 570... |
Line 575... |
570 |
AllowOverride None
|
575 |
AllowOverride None
|
571 |
Order deny,allow
|
576 |
Order deny,allow
|
572 |
Deny from all
|
577 |
Deny from all
|
573 |
Allow from 127.0.0.1
|
578 |
Allow from 127.0.0.1
|
574 |
Allow from $PRIVATE_NETWORK_MASK
|
579 |
Allow from $PRIVATE_NETWORK_MASK
|
- |
|
580 |
# Allow from $SRC_ADMIN
|
575 |
require valid-user
|
581 |
require valid-user
|
576 |
AuthType digest
|
582 |
AuthType digest
|
577 |
AuthName $HOSTNAME
|
583 |
AuthName $HOSTNAME
|
578 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
584 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
579 |
AuthUserFile $DIR_ACC/digest/key_backup
|
585 |
AuthUserFile $DIR_ACC/digest/key_backup
|
Line 585... |
Line 591... |
585 |
Options Indexes
|
591 |
Options Indexes
|
586 |
Order deny,allow
|
592 |
Order deny,allow
|
587 |
Deny from all
|
593 |
Deny from all
|
588 |
Allow from 127.0.0.1
|
594 |
Allow from 127.0.0.1
|
589 |
Allow from $PRIVATE_NETWORK_MASK
|
595 |
Allow from $PRIVATE_NETWORK_MASK
|
- |
|
596 |
# Allow from $SRC_ADMIN
|
590 |
require valid-user
|
597 |
require valid-user
|
591 |
AuthType digest
|
598 |
AuthType digest
|
592 |
AuthName $HOSTNAME
|
599 |
AuthName $HOSTNAME
|
593 |
AuthUserFile $DIR_ACC/digest/key_backup
|
600 |
AuthUserFile $DIR_ACC/digest/key_backup
|
594 |
ErrorDocument 404 https://$PRIVATE_IP/
|
601 |
ErrorDocument 404 https://$PRIVATE_IP/
|
Line 871... |
Line 878... |
871 |
# Le filtrage est désactivé par défaut
|
878 |
# Le filtrage est désactivé par défaut
|
872 |
$SED "s/^reportinglevel =.*/reportinglevel = -1/g" /etc/dansguardian/dansguardian.conf
|
879 |
$SED "s/^reportinglevel =.*/reportinglevel = -1/g" /etc/dansguardian/dansguardian.conf
|
873 |
# la page d'interception est en français
|
880 |
# la page d'interception est en français
|
874 |
$SED "s?^language =.*?language = french?g" /etc/dansguardian/dansguardian.conf
|
881 |
$SED "s?^language =.*?language = french?g" /etc/dansguardian/dansguardian.conf
|
875 |
# on limite l'écoute de Dansguardian côté LAN
|
882 |
# on limite l'écoute de Dansguardian côté LAN
|
876 |
$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" /etc/dansguardian/dansguardian.conf
|
883 |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" /etc/dansguardian/dansguardian.conf
|
877 |
# on chaîne Dansguardian au proxy antivirus HAVP
|
884 |
# on chaîne Dansguardian au proxy antivirus HAVP
|
878 |
$SED "s?^proxyport.*?proxyport = 8090?g" /etc/dansguardian/dansguardian.conf
|
885 |
$SED "s?^proxyport.*?proxyport = 8090?g" /etc/dansguardian/dansguardian.conf
|
879 |
# on remplace la page d'interception (template)
|
886 |
# on remplace la page d'interception (template)
|
880 |
cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
|
887 |
cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
|
881 |
cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
|
888 |
cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
|
Line 953... |
Line 960... |
953 |
## - mise en place des règles et sauvegarde pour un lancement automatique ##
|
960 |
## - mise en place des règles et sauvegarde pour un lancement automatique ##
|
954 |
## - configuration Ulogd ##
|
961 |
## - configuration Ulogd ##
|
955 |
##################################################################################
|
962 |
##################################################################################
|
956 |
firewall ()
|
963 |
firewall ()
|
957 |
{
|
964 |
{
|
958 |
$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
|
965 |
$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh $DIR_DEST_ETC/alcasar-iptables-local.sh
|
959 |
$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
|
966 |
$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh $DIR_DEST_ETC/alcasar-iptables-local.sh
|
960 |
$SED "s?^PRIVATE_NETWORK_MASK=.*?PRIVATE_NETWORK_MASK=\"$PRIVATE_NETWORK_MASK\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
|
967 |
$SED "s?^PRIVATE_NETWORK_MASK=.*?PRIVATE_NETWORK_MASK=\"$PRIVATE_NETWORK_MASK\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh $DIR_DEST_ETC/alcasar-iptables-local.sh
|
961 |
$SED "s?^PRIVATE_IP=.*?PRIVATE_IP=\"$PRIVATE_IP\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
|
968 |
$SED "s?^PRIVATE_IP=.*?PRIVATE_IP=\"$PRIVATE_IP\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh $DIR_DEST_ETC/alcasar-iptables-local.sh
|
962 |
chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
|
969 |
chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
|
963 |
[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
|
970 |
[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
|
964 |
[ -e /var/log/firewall/firewall.log ] || touch /var/log/firewall/firewall.log
|
971 |
[ -e /var/log/firewall/firewall.log ] || touch /var/log/firewall/firewall.log
|
965 |
chown -R root:apache /var/log/firewall
|
972 |
chown -R root:apache /var/log/firewall
|
966 |
chmod 750 /var/log/firewall
|
973 |
chmod 750 /var/log/firewall
|